Webserver scanning
Related
Common wordlists
General
/usr/share/seclists/Discovery/Web-Content/common.txt/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
CGI
/usr/share/seclists/Discovery/Web-Content/CGIs.txt
SharePoint
/usr/share/wordlists/SecLists/Discovery/Web_Content/sharepoint.txt
gobuster
GitHub - OJ/gobuster - Directory/File, DNS and VHost busting tool written in Go
File extensions
IIS
Apache / nginx
wfuzz
GitHub - xmendez/wfuzz - Web application fuzzer
fuff
Fast web fuzzer written in Go. fuff
Enumerate usernames
Brute force passwords
nikto
GitHub - sullo/nikto - Web server scanner
dotdotpwn
GitHub - wireghoul/dotdotpwn - The Directory Traversal Fuzzer
dirb
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.
DirBuster
DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers.
Web application firewall (WAF) detection
You can use wafw00f to detect web application firewalls (WAFs).
wappalyzer (firefox add-on)
Last updated